How to Build a Security Awareness Program from Scratch: A Complete Step-by-Step Guide

2026-01-21 13 min read

Starting a security awareness program with no prior foundation can feel daunting. This guide breaks the entire process into concrete, sequenced steps that produce a functioning program—and real behavioral improvement—from day one.


Every mature security awareness program was once a blank page. Behind every organization with a well-functioning phishing simulation cadence, a trained and reporting workforce, and a board-level security culture dashboard, there was a moment when someone had to figure out where to start.

If you are at that moment—tasked with building a security awareness program from nothing, or rebuilding one that has collapsed into annual compliance checkboxes—this guide is for you.

Building an effective security awareness program does not require a large team, a massive budget, or years of security expertise. It requires a structured approach, a realistic understanding of what produces behavior change, and the commitment to execute consistently over time. The guide below provides exactly that structure—a sequenced, step-by-step process that takes you from zero to a functioning, improving program.


Before You Begin: Getting the Foundations Right

The most common mistake organizations make when building security awareness programs is jumping directly to execution—picking a platform, launching a simulation, rolling out training—without establishing the strategic foundation that determines whether those activities will produce meaningful outcomes.

Before running a single simulation or assigning a single training module, three foundational questions need clear answers.

What outcomes are you trying to produce? Security awareness programs can serve multiple objectives simultaneously—reducing phishing click rates, improving suspicious email reporting rates, meeting compliance requirements, building executive confidence in human risk management, reducing the frequency and cost of social engineering-related incidents. These objectives are not identical, and they can sometimes create tension with each other. Getting explicit about your primary objectives before you start ensures that your program design choices are oriented toward what you actually need to achieve.

Who owns this program? In many organizations, security awareness programs fall into ownership ambiguity—security teams see it as an HR function, HR sees it as an IT function, IT sees it as a security function. This ambiguity produces programs that nobody feels fully accountable for, which is why they often fail to run consistently. The program needs a named owner with the authority to run simulations, coordinate with HR and IT, and report results to leadership. If that person is you, make that explicit and get organizational confirmation before you begin.

What does success look like in twelve months? Set concrete, measurable targets before you start. A click rate target, a reporting rate target, a training completion target, a schedule for how often simulations will run. These targets will look different depending on your starting point and your organizational context, but they need to exist—because without them, you have no way to evaluate whether the program is working and no basis for the ROI conversations that keep the program funded.


Step 1: Conduct a Threat and Risk Assessment

A security awareness program that is not connected to the specific threats your organization faces is a program designed for someone else. The first substantive step in building your program is understanding your organization's actual phishing and social engineering risk profile.

This assessment does not need to be elaborate. It needs to answer four questions:

What industries and business sectors does your organization operate in, and what types of social engineering attacks are most prevalent in those sectors? Healthcare organizations face different attacker priorities than financial services firms, which face different threats than technology companies. Industry-specific threat intelligence shapes which simulation scenarios are most relevant and which training topics are most important.

What specific business processes in your organization are most vulnerable to social engineering? Wire transfer authorization, employee payroll management, vendor payment processing, access credential management, sensitive data handling—identify the specific workflows that, if compromised through social engineering, would cause the most significant harm. These processes and the employees involved in them become your highest-priority training and simulation targets.

What technical security controls are already in place, and what gaps do they leave for human-layer attacks to exploit? An organization with strong email filtering will see fewer mass-market phishing attempts reach employee inboxes—but may underestimate the risk from the sophisticated targeted attacks that technical filters are less effective against. Understanding your technical defense posture helps define what human-layer training needs to compensate for.

What regulatory or compliance obligations govern your security training requirements? HIPAA, PCI-DSS, SOC 2, GDPR, FISMA, and other frameworks impose specific requirements on employee security training that need to be incorporated into program design. For a detailed overview, see our guide on security awareness compliance. Identifying these obligations early ensures compliance is baked in rather than retrofitted.


Step 2: Define Your Program Structure

With a clear threat profile and defined objectives, you can make the structural decisions that determine what your program will look like in practice.

Simulation cadence. How often will you run phishing simulations? Monthly simulation is the standard recommendation for organizations committed to producing genuine behavioral improvement. Quarterly simulation is the practical minimum for programs with limited operational capacity. Annual simulation provides baseline measurement but produces minimal behavioral conditioning. Your cadence decision should reflect both your improvement objectives and your realistic capacity to execute.

Simulation scope. Will you simulate across the full organization or start with a subset? Full-organization simulation produces the most complete baseline data but may feel overwhelming to design and manage in an early program. A phased approach—starting with one or two highest-risk departments and expanding—is a legitimate alternative, as long as the expansion timeline is defined in advance.

Channel coverage. Will you simulate only email phishing, or include smishing and vishing as well? For most organizations building from scratch, starting with email simulation and adding additional channels in the second or third phase of program development is the most manageable approach.

Training delivery model. Will training be delivered exclusively as just-in-time microlearning triggered by simulation failures, or will you supplement with scheduled awareness content? Just-in-time training is the most effective delivery mechanism for behavior change, but scheduled content serves compliance documentation requirements that just-in-time alone may not satisfy. Most programs use both.

Reporting infrastructure. How will employees report suspicious emails? A dedicated report-phishing button in your email client is ideal. A forwarding address to the security team is a workable alternative. Whatever mechanism you choose, it should be prominently communicated and easy to use before you launch your first simulation—because encouraging reporting from day one is essential for building the reporting culture that distinguishes mature programs from basic ones.


Step 3: Select Your Platform

The platform you select will determine the capabilities available to you across simulation, training, reporting, and analytics. Key selection criteria are covered in detail elsewhere in the PhishSkill blog, but for the purposes of building from scratch, the most important factors are practical ones.

Can you get a campaign running within your first week without significant technical setup or IT coordination? If platform setup is a multi-week project, your program launch will be delayed and your momentum will dissipate. Prioritize platforms that offer fast, accessible onboarding.

Does the platform provide both simulation and just-in-time training in an integrated system? Platforms that require separate systems for simulation and training create administrative complexity that undermines the behavioral loop that makes just-in-time training effective.

Does the platform provide the compliance documentation your regulatory environment requires? If you have HIPAA, PCI-DSS, or other compliance obligations, confirm that the platform produces the specific documentation your auditors will expect before you commit.

Does the pricing model work for your organizational size? Enterprise platforms priced for large organizations are not the right choice for a hundred-person business. Small business pricing tiers should scale to your size without requiring a procurement process or multi-year contract commitment to access basic capabilities.


Step 4: Launch Your Baseline Campaign

Your first simulation campaign has one primary purpose: establishing a truthful baseline measurement of where your organization's phishing susceptibility actually stands before any training intervention.

To preserve the accuracy of this measurement, do not announce the campaign in advance. An announced simulation produces artificially low click rates that establish a false foundation for your program metrics. Employees behave differently when they know a test is coming. The behavioral data you need comes from how employees respond under normal conditions.

Select a realistic template for your baseline campaign—not the most sophisticated scenario you have available, but one that reflects the current threat environment and would plausibly reach your employees' inboxes. Overly obvious templates produce artificially low click rates. Excessively sophisticated spear phishing scenarios produce artificially high rates. A template at moderate difficulty, realistic and current but not exceptionally personalized, provides the most useful baseline.

Send the campaign to your full target audience in a single send window. Allow a measurement window of five to seven business days before closing the campaign and reviewing results.

When results arrive, document them carefully. Your baseline click rate, submission rate, reporting rate, and department-level breakdowns are the starting point against which every subsequent campaign will be compared. They should be preserved as the foundational measurement of your program and never retroactively adjusted to look more favorable.


Step 5: Communicate Transparently After the Baseline

After your baseline campaign is complete, communicate with your workforce about what has happened and what it means. This communication is one of the most important framing decisions you will make for the program's long-term success.

The communication should acknowledge that a simulation was conducted and explain why. It should describe what you observed at an aggregate level (without naming or shaming individuals), frame the results as a realistic starting point rather than a judgment of the workforce, and explain what the program will look like going forward—including simulation frequency, training delivery, and reporting expectations.

Critically, this communication should establish the program's culture: phishing simulations are not tests that employees pass or fail, and clicking a phishing link is not a punishable offense. They are learning exercises that exist to build the skills your workforce needs to protect themselves and the organization. Employees who report suspicious emails are doing exactly the right thing, and that behavior will be recognized and valued.

This framing sets the psychological conditions under which genuine behavior change is most likely to occur. Organizations that frame awareness programs punitively create cultures of concealment that undermine the reporting behaviors that make the program most valuable.


Step 6: Establish Your Regular Simulation Cadence

With your baseline established and workforce communication complete, the program moves into its operational rhythm. This rhythm—regular simulation, immediate training, consistent measurement—is the engine of behavior change that produces the results you established in your objectives.

Monthly simulation is the recommended cadence for most organizations, with variation in template types across campaigns to prevent pattern recognition from substituting for genuine phishing detection skill. Rotate through credential harvesting scenarios, business email compromise formats, helpdesk impersonation, supplier fraud attempts, and, eventually, multi-channel scenarios that include smishing and vishing.

After each campaign, review the results promptly. Note changes from prior campaigns—improvements to celebrate, deteriorations to investigate, new risk patterns to address. Update your program notes and, where results warrant, adjust the following campaign's template selection or audience segmentation.


Step 7: Build Your Training Content Foundation

Your simulation program generates the trigger events for training delivery, but the training content itself needs to be ready before those triggers occur. Building a training content foundation in parallel with your simulation cadence ensures that employees who click simulated phishing links receive immediately relevant, high-quality learning experiences.

At minimum, your training library should cover the following topics, each delivered as a short, standalone module:

Recognizing phishing indicators—how to examine sender addresses, identify suspicious links without clicking them, recognize urgency language as a social engineering signal, and evaluate unexpected requests critically.

Verification behavior—why and how to verify unusual requests through independent channels before complying, including how to do this in ways that feel professional and appropriate rather than paranoid.

Credential security—why credentials should never be entered on a page reached through a link in an email, how to navigate directly to legitimate login pages, and what to do if a credential submission has already occurred.

Reporting procedures—specifically how to report a suspicious email in your organization, what information to include, and why reporting matters for collective security.

As your program matures, additional modules on business email compromise, social engineering psychology, remote work security, multi-factor authentication, and data handling can be added to provide broader security awareness coverage. Using gamification and reward systems can also significantly improve long-term engagement with these modules.


Step 8: Establish Your Reporting Structure

A security awareness program that runs without regular reporting to leadership quickly loses organizational visibility and, with it, the budget and support it needs to function.

Build a reporting cadence from the beginning of the program. Determine who needs to see program results and at what frequency: security leadership (monthly or per-campaign), department heads (quarterly with department-level data), executive leadership (quarterly with organizational summary), and board or audit committee (annually or semi-annually with strategic context).

For each audience, define the format and content of the report. Operational reports for security leadership can include full campaign data. Executive summaries should focus on organizational resilience score trends, industry benchmark comparisons, and risk reduction narrative. Board-level reports should connect program metrics to business risk language.

Establishing this reporting structure early ensures that the program maintains stakeholder visibility throughout its lifecycle, not just during launch and after incidents.


Step 9: Conduct Your First Quarterly Review

After three months of consistent operation, conduct a formal program review that evaluates progress against your initial objectives, identifies what is working well and what needs adjustment, and sets refined targets for the next quarter.

Key questions for the quarterly review: Has the click rate changed since baseline? Is the trend in the expected direction? Are reporting rates improving? Is training completion where it needs to be? Are there departments or roles that are consistently underperforming and need targeted attention? Is the simulation template variety adequate, or are employees beginning to show familiarity with specific scenarios?

Use the answers to these questions to make deliberate adjustments to the program for the next quarter—template selection, simulation frequency for specific populations, training content additions, reporting enhancements.

This quarterly review process is what transforms a program that runs on autopilot into one that continuously improves and adapts. The organizations that produce the best long-term results are those that treat their awareness program as a living system rather than a configured product.
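The metrics named in Step 4 (click, submission and reporting rates with a department breakdown) and the questions asked in Step 9 (change since baseline, direction of the trend, consistently underperforming departments) can be computed directly from a campaign export. The following Python is an added example and not PhishSkill's code or part of the original guide; it assumes a constructed export of nine department-level count rows across three campaigns, expanded into the one-row-per-recipient shape a platform would typically produce, and assumes that submitting credentials implies a click and that reporters did not click.

```python
"""Quarterly-review metrics for phishing simulation campaigns (added example)."""

# Constructed sample export: per-department counts for three campaigns.
# Columns: campaign, department, delivered, clicked, submitted credentials,
# reported to the security team. A real platform export has one row per
# recipient; expand_rows() builds that shape so the maths is checkable by hand.
SAMPLE_COUNTS = [
    ("2026-01-baseline", "Finance",     10, 4, 2, 0),
    ("2026-01-baseline", "Engineering", 10, 2, 1, 1),
    ("2026-01-baseline", "Sales",       10, 5, 3, 0),
    ("2026-02",          "Finance",     10, 3, 1, 1),
    ("2026-02",          "Engineering", 10, 1, 0, 2),
    ("2026-02",          "Sales",       10, 4, 2, 1),
    ("2026-03",          "Finance",     10, 1, 1, 2),
    ("2026-03",          "Engineering", 10, 1, 0, 3),
    ("2026-03",          "Sales",       10, 3, 1, 2),
]
CAMPAIGNS = ["2026-01-baseline", "2026-02", "2026-03"]
RATES = ("click_rate", "submission_rate", "reporting_rate")


def expand_rows(counts):
    """One dict per recipient. Submitting implies clicking, so submitters are a
    subset of clickers; reporters are taken from the other end and did not click."""
    rows = []
    for campaign, dept, delivered, clicked, submitted, reported in counts:
        assert submitted <= clicked and clicked + reported <= delivered
        for i in range(delivered):
            rows.append({"campaign": campaign, "department": dept,
                         "clicked": i < clicked, "submitted": i < submitted,
                         "reported": i >= delivered - reported})
    return rows


def campaign_metrics(rows, campaign, department=None):
    """Delivered count plus click, submission and reporting rates (0..1)."""
    subset = [r for r in rows if r["campaign"] == campaign
              and (department is None or r["department"] == department)]
    n = len(subset)
    if n == 0:
        raise ValueError(f"no delivered messages for {campaign!r}/{department!r}")
    return {"delivered": n,
            "click_rate": sum(r["clicked"] for r in subset) / n,
            "submission_rate": sum(r["submitted"] for r in subset) / n,
            "reporting_rate": sum(r["reported"] for r in subset) / n}


def department_breakdown(rows, campaign):
    """Per-department metrics for one campaign, keyed by department name."""
    depts = sorted({r["department"] for r in rows if r["campaign"] == campaign})
    return {d: campaign_metrics(rows, campaign, d) for d in depts}


def change_in_points(baseline, current):
    """Percentage-point change since baseline; the program wants click and
    submission changes negative and the reporting change positive."""
    return {k: round((current[k] - baseline[k]) * 100, 1) for k in RATES}


def click_rate_trend(rows, campaigns):
    """Click rate per campaign and whether the series moves consistently."""
    series = [campaign_metrics(rows, c)["click_rate"] for c in campaigns]
    steps = list(zip(series, series[1:]))
    if all(later < earlier for earlier, later in steps):
        return series, "improving"
    if all(later > earlier for earlier, later in steps):
        return series, "deteriorating"
    return series, "mixed"


def consistently_underperforming(rows, campaigns):
    """Departments whose click rate exceeded the organisation-wide rate in
    every campaign reviewed: candidates for targeted training, not blame."""
    flagged = None
    for c in campaigns:
        org_rate = campaign_metrics(rows, c)["click_rate"]
        worse = {d for d, m in department_breakdown(rows, c).items()
                 if m["click_rate"] > org_rate}
        flagged = worse if flagged is None else flagged & worse
    return sorted(flagged or [])


def quarterly_review(rows, campaigns=CAMPAIGNS):
    """Answers to the Step 9 questions, computed from the campaign rows."""
    baseline = campaign_metrics(rows, campaigns[0])
    latest = campaign_metrics(rows, campaigns[-1])
    series, direction = click_rate_trend(rows, campaigns)
    return {"baseline": baseline, "latest": latest,
            "change_pts": change_in_points(baseline, latest),
            "click_rate_series": series, "trend": direction,
            "underperforming": consistently_underperforming(rows, campaigns)}


if __name__ == "__main__":
    for key, value in quarterly_review(expand_rows(SAMPLE_COUNTS)).items():
        print(f"{key}: {value}")
```

On the constructed data the review reports a click rate falling from roughly 37% at baseline to roughly 17% by the third campaign, reporting rising from 3% to 23%, and Sales as the one department above the organization-wide click rate in every campaign. Keeping the baseline row set immutable and recomputing from it each quarter is what prevents the retroactive adjustment Step 4 warns against.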


Step 10: Plan for Program Maturation

A security awareness program that looks the same in year three as it did in year one is a program that has stopped developing. The final step in building from scratch is planning, from the outset, how the program will mature as the organization's security posture and threat environment evolve.

Maturation milestones to plan for include: expanding simulation channels to include smishing and vishing; introducing more sophisticated, personalized spear phishing scenarios for high-risk employee segments; building a formal phishing resilience score and reporting it to executive leadership; integrating simulation data with SIEM and identity management platforms to enrich broader security intelligence; and developing role-specific training tracks that go beyond general phishing awareness to address the specific social engineering risks most relevant to different business functions.

These milestones do not all need to happen in year one. They need to be on the roadmap so that the program's development trajectory is planned rather than reactive.


What Realistic Progress Looks Like

Organizations that build their security awareness programs using this framework and execute consistently can expect the following approximate trajectory.

In the first three months, with baseline established and initial training underway, click rates often decline modestly—five to ten percentage points—as employees receive their first just-in-time training and develop initial phishing recognition skills. Reporting rates typically begin from near-zero for organizations with no prior reporting culture and may show only small initial increases as employees learn the reporting mechanism.

By the six-month mark, click rate improvement accelerates for organizations with consistent monthly simulation: another ten to fifteen percentage-point improvement is typical. Reporting rates begin to climb more meaningfully as employees develop the habit and confidence to flag suspicious messages. Department-level variation in performance becomes more visible and actionable.

At twelve months, well-executed programs typically show click rates in the ten to twenty percent range regardless of starting point, with reporting rates in the fifteen to thirty percent range for organizations that have actively reinforced reporting behavior. The resilience score, if you have implemented one, should show a clear upward trend that provides compelling evidence of program effectiveness for leadership communication.

These are approximate trajectories, not guarantees. Program outcomes vary based on template difficulty, organizational size and complexity, workforce characteristics, and the consistency and quality of execution. What the trajectory shows is that meaningful, measurable improvement is achievable within a reasonable timeframe—and that it is directly proportional to the consistency and quality of the program you build.


The Bottom Line: Start Now, Improve Continuously

The most important thing to understand about building a security awareness program from scratch is that the perfect program is not a prerequisite for starting. The program that exists and runs consistently is vastly more valuable than the perfect program that has not been launched yet.

Start with a baseline simulation. Establish a reporting channel. Build a monthly cadence. Communicate transparently with your workforce. Review results and adjust. Every iteration makes the program more effective. Every month of consistent operation builds more behavioral change than any amount of planning ever will.

The organizations with the most effective security awareness programs did not build them perfectly on the first try. They built them iteratively, measured what mattered, and improved continuously over time.

That is the model. And it starts with your first campaign.


PhishSkill is designed to make launching and managing a security awareness program from scratch as fast and straightforward as possible—so the gap between decision and action is days, not months. Start your first campaign and establish your baseline today.

Related Reading

Not sure where to start? See Phishing Simulation Software for Small Business: A Complete Buyer's Guide or build your business case with How to Calculate and Prove Security Awareness Training ROI.

For a formal framework on building programs, refer to NIST SP 800-50 Revision 1: Building a Cybersecurity and Privacy Learning Program.

New to this topic? Start with: What Is Security Awareness Training? or explore Insider Threat Awareness Training.
